That page, at the iPhone developer website iphonedevsdk.com, was used to expose visitors to a previously undocumented vulnerability in Oracle's Java browser plugin. The "zero-day" exploit allowed the attackers to install a collection of malware on the Java-enabled computers of those who visited the site. Ars readers shouldn't visit the site, because it may still be compromised.

iphonedevsdk.com is an example of a "watering hole" attack. In such an attack the attackers compromise a site popular with the population they want to break into, use a vulnerability to plant code on the Web server hosting it, and have that code inject exploits into the HTML sent to every visitor. In this case the site, which hosts a Web forum for iPhone developers, gave the hackers access to the computers of software engineers and developers working on mobile application projects for a number of companies, including Facebook. The exploit was the source of the attack on Twitter that led to the theft of Twitter usernames and passwords, according to a source familiar with the attack, and was used to infect computers belonging to Apple engineers. The source requested anonymity because he was not authorized to provide the details to the press.

While Facebook and a third party working with the company "sinkholed" the command and control server that was communicating with malware installed by the Java zero-day exploit (that is, took over its domain so that infected machines now report to the defenders rather than to the attackers), the site may still be a source of attacks using other exploits. Mobile developers who have used the forum in the last few months should check their systems for signs of malware.

I used that site. Any hints on how to find the backdoor or malware, and remove it?

godforsaken java...

What you should do is disable all browser plugins. Especially Java, Adobe's PDF reader and Flash. Also make sure your browser doesn't automatically open "safe" files that are downloaded (PDF is almost always on the "safe" list, and it's not safe at all).

Only enable plugins when you visit a website that actually needs one, and turn them off right away (you can install a browser extension to make this easier).

If you think you've already been compromised, I would just re-install and be extremely careful about what files you restore from your backup. There is no other way to know for certain that it's gone.

I cannot reinstall my development machine; that would take me days... I am 100% certain that I disabled Java a long time ago, but of course I did not check that, and today I checked and it is on. This is bad...

Java, after all this, is still distributed set to run in browsers by default. I find that astonishing.

Only in some browsers.

Safari doesn't include it, when you visit a Java website it warns you about the security risks and offers to install it. Once installed, if you don't use Java for a short while it will be automatically disabled. And even if you have it enabled, it constantly phones home to check for security vulnerabilities and will be disabled when a bad one comes out and it is almost impossible to re-enable until the flaw is patched (which makes Safari pretty unpopular among people who actually need Java).

Perhaps you would prefer having some hacker view and/or modify the source code for whatever apps you are working on? Or perhaps grab the private key for your iOS developer account so they can distribute malware under your name? (dunno if you are doing iOS work, but the same risk exists for other platforms).

This is partly an OS problem. We should be applying Apple's OS X sandbox across the board (i.e. even more than they are).

Yes, it would require us to think a little differently about how we construct applications, but there's very little reason my "web browser" app needs full access to my computer. In fact, there is zero reason why I shouldn't have multiple web browser app sandboxes running in parallel, i.e. the sandbox I use for banking should be different from the sandbox I use for regular browsing. It can be the same underlying binaries, but they should be running as separate processes in kernel-enforced sandboxes with some OS-provided UI sugar to enable the user to differentiate.

This would require us to change a little how we think about apps. Apps are not single programs, but the collection of programs needed to do a job, i.e. your web browser app is Firefox, Chrome, ... plus whatever needs to run in its same space (i.e. plugins). Your banking browser app might be the same underlying Firefox, Chrome, ... but without any of the plugins.

Of course, web browsers also have helpers (say you aren't using an Adobe plugin, but when you download a PDF you want it to be able to launch in a PDF reader). All one needs is the ability for a program in one sandbox to launch programs in a separate sandbox.

Now, this is a problem, as they can infect that other sandbox (i.e. a malicious PDF will leave droppings that can affect me when I view my PDF-based bills/banking statements). But here we can have ephemeral sandboxes, i.e. every time Firefox hands off a PDF to a PDF reader, it's actually creating a new sandbox instance that is thrown away once it's finished (and it would have to have some monitoring to make sure malicious code doesn't keep it around longer than it should be). So, even if you do view a malicious file, its changes would be thrown away once you stop viewing it.

Of course the big elephant in the room is that all this depends on the kernel providing the proper enforcement, so of course the obvious direction an attacker will take is to try to attack the kernel itself from within whatever sandbox they find themselves in. However, most of these compromises are user-level compromises and there's minimal reason our OSes should be allowing them to happen.
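The ephemeral, per-document sandbox sketched in the comment above, as an added example that is neither Apple's code nor the commenter's. It targets the OS X sandbox the comment refers to, through sandbox-exec(1) and its profile language: the viewer gets a deny-by-default profile that lets it read system libraries and the one document and write only inside a scratch directory, which is destroyed when the viewer exits. The viewer path and the allow-list are assumptions that a real deployment would have to tune (a GUI viewer needs additional mach-lookup rules for the window server and fonts); on a system without sandbox-exec the helper is not launched at all, since running it unconfined would defeat the purpose.

```python
"""Ephemeral per-document sandbox for a viewer helper (added example).

Assumptions, not facts from the thread: the viewer path, the set of
allow rules, and that sandbox-exec(1) is the enforcer (macOS only).
"""
import os
import shutil
import subprocess
import tempfile

# Directories the confined viewer may read; everything else is denied.
SYSTEM_READ = ("/usr", "/System", "/Library/Frameworks", "/dev")


def build_profile(doc_path, scratch_dir, viewer):
    """Deny-by-default profile: exec only `viewer`, read system paths and
    the one document, read/write only inside `scratch_dir`."""
    rules = [
        "(version 1)",
        "(deny default)",
        '(allow process-exec (literal "%s"))' % viewer,
        "(allow sysctl-read)",
        "(allow file-read-metadata)",
    ]
    rules += ['(allow file-read* (subpath "%s"))' % p for p in SYSTEM_READ]
    rules.append('(allow file-read* (literal "%s"))' % doc_path)
    rules.append('(allow file-read* file-write* (subpath "%s"))' % scratch_dir)
    return "\n".join(rules) + "\n"


def view_ephemerally(src_doc,
                     viewer="/Applications/Preview.app/Contents/MacOS/Preview"):
    """Copy the document into a throwaway directory, run the viewer confined
    to it, then delete the directory however the viewer exited, so anything
    a malicious file drops dies with the sandbox."""
    scratch = tempfile.mkdtemp(prefix="sbx-")
    result = {"scratch": scratch, "ran": False, "profile": None}
    try:
        doc = os.path.join(scratch, os.path.basename(src_doc))
        shutil.copyfile(src_doc, doc)          # viewer never sees the original
        result["profile"] = build_profile(doc, scratch, viewer)
        if shutil.which("sandbox-exec"):       # only macOS ships the enforcer
            subprocess.run(["sandbox-exec", "-p", result["profile"], viewer, doc])
            result["ran"] = True
        # No kernel-enforced sandbox available: refuse to run the viewer.
    finally:
        shutil.rmtree(scratch, ignore_errors=True)
        result["cleaned"] = not os.path.exists(scratch)
    return result


def make_sample_doc():
    """Constructed stand-in for a downloaded file (not a real PDF)."""
    fd, path = tempfile.mkstemp(suffix=".pdf")
    with os.fdopen(fd, "wb") as f:
        f.write(b"%PDF-1.4\n% constructed sample, no real content\n")
    return path


if __name__ == "__main__":
    r = view_ephemerally(make_sample_doc())
    print(r["profile"])
    print("viewer ran:", r["ran"], "scratch removed:", r["cleaned"])
```

The profile deliberately never mentions the user's home directory, so even a viewer that is fully compromised by the document cannot read banking statements or developer keys sitting under ~/; the kernel, not the viewer, enforces that, which is exactly the dependency the comment flags as the remaining weak point.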

I hate to say it, but I'm not surprised it was that site. I used to frequent it back in the iOS 2.0 days and it always had the feeling of a site thrown up to cover the potential next big thing. The site was always self-governing and seemed to be a bit cruel towards newbies. I paid for the membership because it was a valuable resource at first, but I didn't renew when the time came.

Well, if this site was hit you can almost bet that there are other sites compromised as well. Does anyone know what software they were using for their forums?

I understand the thought but for all we know any object on that site could have been hit. The forum software seems the most likely, but for all we know they could have used the ad network, or the attackers gained backend access to the host server.

What lessons will be learned from this? When will browsers like Chrome come with Flash and Java off by default with the option to enable them on a per-site basis?

How many Flash security holes have recently occurred? Stop pushing Apple's agenda based on "security". You damn well know that Apple wants to rid the world of Flash for other reasons than security or performance.

I'm on a Blackberry. I don't use Facebook or Twitter. Seriously, the world doesn't need social media. Then again, it gives me something to snicker about.

Flash is bad because it is proprietary. Of course, that isn't why Apple hates it. ;-) Years ago I got into an email battle with a DoD contractor doing a website for an Army division... all in Flash. I pointed out that requiring readers to install plugins is a bad habit to teach. The reply email indicated the plugin was free, as if that matters! Nothing has changed. The government/military still uses Flash.

Is this story supposedly the same as this one? If so, it certainly appears that ars has gone to lengths to obfuscate the OS X vulnerability here--specifically--why of course!--as it pertains to Apple's Mac line of PCs. (Gee, now, that's so out of character for ars!)

There is no OS X vulnerability involved in this story. The vulnerability is in Oracle Java, allowing allegedly "sandboxed" browser applets to run with the full authorization of a normal program.

Anybody reading this story on their Chromebook: just move along, nothing to see here. Don't worry about the horror story of how your info might be stolen by malware; there's nothing to do to clean your computer. Chrome OS doesn't have Java.

2.16986 years since i switched - and have never looked back. no crapware, no cruft, no bit_rot (actually runs better&faster "day-by-day", no "?#$T tax", no re-installs necessary (at worst a "five minute powerwash" will cure all ills) - just speedy, secure and simple. and no headaches. me likey

But my point was that while the Roto-rooters article was quick to mention the involvement of Macs and therefore OS X, the ars article seems to completely dance around it. And you wonder where the phrase "RDF" originated...? (Rhetorical question.)

Ars already covered that ground in an earlier story. In fact, you could have discovered that in this very article. Here, let me help:

First, look for this sentence in the article:

Quote:

The exploit was the source of the attack on Twitter that led to the theft of Twitter usernames and passwords, according to a source familiar with the attack, and was used to infect computers belonging to Apple engineers.

Now, examine that text closely in the original body of the article. Notice how the last part is colored orange? That's what we refer to as a "link." You can click on it and things happen. You should try it, it's fun and educational.

I cannot reinstall my development machine; that would take me days... I am 100% certain that I disabled Java a long time ago, but of course I did not check that, and today I checked and it is on. This is bad...

As a fellow developer, I understand your hesitance to take the time needed to fix this issue... But frankly, and I speak from experience here, the truth is that you can't afford to not fix this problem, regardless of how long it might take to reinstall the OS and all your development software. You put your entire career at risk if you knowingly do development work on a potentially compromised computer.

Just bite the bullet. It'll probably hurt your productivity a little bit in the short run, but the long-term peace of mind (and your professional reputation) is absolutely worth the inconvenience.


Anybody know if the Apple malware repair tool will somehow run if Java wasn't installed to begin with?

I removed Java some time ago, and running Check for Updates only resulted in finding the new iTunes update.

If the repair software doesn't run if Java isn't installed, then this is a logical flaw.

For instance, a user could have been infected, removed Java, remained infected(?), and not been able to run the repair tool because no Java was identified on his box.

Any ideas from the community?

Apple's malware repair tool runs automatically all the time unless users turn it off (I'm not sure if it's even possible to turn it off).

It has nothing to do with Java; it scans for and detects all kinds of malware.

But personally I would not trust any malware removal tool. They are a great idea and should be run, but if we are talking about a development machine used to deploy software around the world... no frickin' way. I would re-install, and make enquiries with Apple about how to seamlessly revoke/regenerate my public/private keypair (not an easy task...)

Once you have been compromised, somebody might have already logged into your workstation and done anything to it. If they've done that, all ur base are belong to them already.

I cannot reinstall my development machine; that would take me days... I am 100% certain that I disabled Java a long time ago, but of course I did not check that, and today I checked and it is on. This is bad...

Reinstalling might not be enough; firmware (BIOS/UEFI/HDD/SSD/router/keyboard/mouse/printer) might've been compromised. Reinstalling a Windows machine is a PITA, but I'm not expecting MS to fix that any time soon. Some kind of package/software management is desperately needed.

The "zero-day" exploit allowed the attackers to install a collection of malware on the Java-enabled computers of those who visited the site. Ars readers shouldn't visit the site, because it may still be compromised.

Well, if you have Java completely uninstalled or disabled, you should be fine.

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.